Calling principal does not have required MSGraph permissions
I have a Runbook (Automation Accounts) parsing AAD SignIn and Audit logs, however, when it executes Get-AzureADAuditSignInLogs I'm getting the following error:
`Get-AzureADAuditSignInLogs : Error occurred while executing GetAuditSignInLogs Code: Authentication_MSGraphPermissionMissing Message: Calling principal does not have required MSGraph permissions AuditLog.Read.All`
The Managed Identity I'm using in Runbook has Security Reader role, but it doesn't seem to be enough?
I got the same error when I checked in powershell:
Note: The AuditLog.Read.All permission is an application permission which is part of Microsoft Graph API and not a built-in role in Azure Active Directory (AAD).So it must be granted through an app in azure ad
Create an app in azure ad tenant .For that app create client secret and certificate and note down secret value and certificate thumbprint for both
Give the AuditLog.Read.All Api permissions to it and grant admin consent .
And then go to the azure automation account.
Access control IAM blade > add role assignment > security reader or Contributor role to the application
Here I gave Owner role .
In automation account Add a credential button. Enter name and the service principal credentials which are "Application (client) ID" and the "Client Secret".
Then the script to run audit logs can be run successfully
$credential = Get-AutomationPSCredential -Name "myrunbookcred"
Connect-AzureAD -TenantId "xxxxxxx" -ApplicationId "axxxxxxxx26 " -CertificateThumbprint "1C6BFB53xxxxxxxxxxx3CD401" -Credential $credential
Get-AzureADAuditSignInLogs
- Powershell hashmap: nested filtering
- How to propagate -Verbose to module functions?
- How do I find out from powershell if I am on a server or workstation?
- Optimizing a PowerShell Script
- How to `Import-Module` in PowerShell to parent session/process?
- `Invoke-Conda` cannot catch any arguments after powershell 7.5.0 update
- close and 'save as' for 100 of MS Paint files at once?
- Powershell profile.ps1 cannot be loaded because its operation is blocked by software restriction policies
- How can I capture the value of an untranslated SID in a Try/Catch code block?
- PowerShell .Count returns 1 on empty array
- How can I filter out text twice in Powershell?
- SharePoint | Delete Version History using PnP PowerShell
- Is it possible to list only files deleted from TFS using tf dir?
- WinRM cannot complete the operation. Verify that the specified computer name is valid
- Using start-process in a loop, where some programs will have arguments and some don't; Way to not have if $Arguments -ne $null
- How can I set left/right column justification in Powershell's "format-table"
- Invalid operands found for operator -eq
- Detect when user cancels $host.ui.promptforchoice prompt
- How can I make sure Powershell will correctly render all non-latin characters into the output?
- How can I choose between $MyInvocation.ScriptName and $MyInvocation.PSCommandPath in PowerShell?
- Azure pipeline template: dynamically retrieve and story keyvault secrets
- Maintaining property order with get-member
- PowerShell - Return an array of all possible properties for an ADObject
- List objects vs. Arrays in PowerShell
- Run Invoke-Command in remote computer as administrator
- Authenticate to Azure with certificate from Linux
- How to recursively append to file name in powershell?
- Mapped network drives are not showing in My Computer
- Delete files in a folder except a list of extensions I specify
- How to open 'This PC' using CMD or Powershell?